Who are your partners, and how rigorous is your certification process?
Spurlin: Application service providers, some vendors, marketing analysis services and with some outsourcing initiatives, we have partners that provide support. Each one, if they want to connect to us or use our data in any way, we have to provide an on-site assessment. A team of engineers will spend a day or two on site, and -- the partner -- goes through a rigorous interview session, which is standardized based on an information security framework I developed. It's a top-down drill-down of their corporate security posture, their policies, technology solutions deployed in their architecture and how they manage and monitor what's in place and if it's in adherence with their security policies.
Then, there's a final gap analysis to determine if all that is in compliance with Home Depot policies.
If there are issues, we recommend remediation, and they must remediate before anything goes into production. We literally connect to their internal networks and perform assessments using custom-built tools and tools bought off the shelf to verify they manage deployments as stated and if they meet our standards.
What kind of resistance do you run into?
Spurlin: Most of them realize the value-add this provides. We report to them what amounts to a good snapshot of their information security operation. They tell us it's just like a Big Four audit and they learn a lot from it. It's done at no charge; it's part of doing business. We take managing our brand and customer data very seriously.
What's this experience like for the partner?
Spurlin: Let's say there's an outsourcing partner who provides us with application services, doing some hosting capabilities for us. We would initially go through our Solutions Development Lifecycle, an established process inside of Home Depot. Right at the conceptual stage of a project, we are engaged. We work lock-step through the design, requirements and implementation portions of a project. After the design and requirements are constructed, we engage vendors, and send memorandum of assessment about what we do, how long it will take and what we'll give you when we're done. These are quick-hit efforts; we fly in the day before, spend a day or two on site. We start out the process with a tour, then go into the interview, meeting with people responsible for different areas of security. We work with a point of contact and assess the logical aspects of the job, secure the data we collect in a PGP file and bring it back with us. The vendor and project teams get reports from us, along with a MORR report, which is a memorandum of risk and remediations, which identifies the risks and recommendations for remediation. You can choose to remediate all the risks we identify and sign off on the report. Otherwise you can't do business with us.
How many of these do you do a year?
Spurlin: We've done, on average, 87 -- new vendor assessments -- a year during last two and a half years since I've been on board. With our Tier 1 partners who touch critical data, they get annual visits from us. It's written into the contract that they see us every year. The provisions state they allow us on site and we perform assessments and they remediate. We have 28 Tier 1 partners. We run our organization just like a consulting team; there are lots of templates. We do hard-core analysis. I'd put our engineers against any in the industry.
And the framework you use is homegrown?
Spurlin: I developed it in the late 1990s; there were no frameworks back then. This is an incarnation from my own mind; a fallback to my consulting days. The first course of business is to understand the business you're working with, and then drill down to what you want to do.
What security demands do you make of partners?
Spurlin: That they have an established information security program, and policies. From a technology standpoint, it's the usual cast of characters: a firewall set to privileged access, strong access controls, antivirus that's up to date and constantly monitored, intrusion detection, an established and repeatable patch management process, a vulnerability management process. We also look at how well they build servers. If they're ASPs, they have to have a standardized reference model they use to build systems, with security elements.
What kind of shape are potential partners usually in?
Spurlin: There's always some remediation; 90% require remediation activities. We see about 50% of things need to be done at the application layer, which follows the industry standard. We're also seeing areas of concern with secure network deployment, segmentation issues. For the most part, it's application layer stuff and policy based stuff. Patch management is getting better; we're seeing more resilience around patch and vulnerability management.
What kind of validation do you get from peers?
Spurlin: At roundtables when I first spoke about this, most of the CISOs raised their eyebrows at it. Over the course of the last couple of years, several have begun using the methodologies I use, and hiring staff to do that.
Most are like Home Depot where the vendor providing me with services is providing another retailer the same services. We'd like to see a standardized certification that's transferable to other retailers they work with. We'd like to see agreed-upon testing criteria and framework, and a certified body that says we're certified. All of us would like to see it happen. We believe it's to the ASPs out there to unite for a type of service like that. The value-add is huge.
What is the return for Home Depot?
Spurlin: The return is huge. We're an $83 billion company, so you can imagine the volume. The cost of sending staff on an assessment is less than 1/10% of that. At the end of the day, the Home Depot brand is the most important thing we protect. Customer loyalty and return to Home Depot and our stakeholders is very high.
That said, it was probably an easy sell to upper management?
Spurlin: It was not a tough sell, everybody jumped on board. We have a Wall of Shame in our office where we pin all the data breach headlines as they happen. When an executive asks why we need to do this, we walk them by the wall.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.
This was first published in May 2006